The ACIP project is a European Union initiative directed at providing the European R&D roadmap for Analysis and Assessment of Critical Infrastructure Protection (ACIP). ACIP focuses on research designed to identify and develop tools, methodologies and technologies for the protection of critical infrastructures. One of the major concerns of the ACIP project, according to Gwendal Legrand of the Roadmap For Provision Of Methodologies For CIS Investigations, was the fact that critical infrastructures are becoming targets of increasing physical and cyber attacks. This raised the question of whether the available methods of coping with these attacks are adequate for the enormous task of protecting huge complex networked systems. Perhaps not surprisingly, the answer was that current methods have major deficiencies that need to be dealt with in order to achieve an adequate level of security, i.e., where critical systems can continue to function, even when under attack.
The ACIP project investigated all current methods and found that even the task of assessing a critical system's security level, an essential and initial task in any attempt to secure a system, cannot be easily done with available methods.
The scope of assessing a security level of operational systems, for example, a nation-wide electronic network, was not taken into account when current methods were planned. No method is capable of assessing hundreds or thousands of servers, various local and wide area networks, as well as standard and proprietary or home-grown systems, etc. The ACIP project determined that software tools already in place may help in such a case, but their major drawback is that they address specific information technology (IT) platforms, and lack an ‘overall’ security assessment capability. When addressing a complex system with existing tools it is easy to lose sight of the larger picture. Instead of a clear vision of a complex critical system's security level, deeper confusion may result.
Platform-specific tools are readily available, but unfortunately they can be of assistance only if the larger picture becomes clear. There are also several available high-level methods that are not applicable in most CIP instances. Most high-level methods detach themselves from actual technical details in an attempt to remain the same even when technologies have changed. Perhaps the best proof of their inapplicability is the finding that the critical infrastructure's (CI's) IT operations staff, by and large, do not use high-level methods, since the information that the high-level systems provide is often too abstract and fails to provide a practical guide for IT professionals.
Thus, there is a need for a method that may connect both ends, the high level and the platform specific, and would produce results that the IT professionals may be able to use. The new methods must be practical and aware of the organizational issues related to the critical infrastructures.
State-of-the-art software tools for handling security requirements are described inter alia in published US Application 2004/0103315 to Cooper et al., published 27 May 2004; in published US Application 2007/0006294 to Hunter, published 4 Jan. 2007; and in published US Application 2995.9137119 to Redlich, published 23 Jun. 2005.
The disclosures of all publications and patent documents mentioned in the specification, and of the publications and patent documents cited therein directly or indirectly, are hereby incorporated by reference.